JP2815436B2 - Cooperative distributed control system - Google Patents

Description

[Detailed description of the invention] [Industrial application field] The present invention relates to a failure of a control device or a plant abnormality.
The present invention relates to a cooperative distributed control system in which functions are reconfigured by a cooperative operation between adjacent control devices within a sampling time of process information (hereinafter, referred to as a control cycle) and a function of the plant control is maintained.

[Conventional technology]

Generally, in plant control, the plant is divided into a plurality of subsystems, process information is obtained from each subsystem, and control processing (hereinafter, referred to as a task) is performed.

FIG. 6 is a block diagram showing a configuration of a distributed control system as a first conventional example disclosed in, for example, JP-A-61-16646. In the figure, HC controls each of the control devices P1, P2, and P3. A host computer to be managed, which is connected by a transmission line 2, and each of the control devices P1, P2, and P3 is a detector S for acquiring each process information of a plant, and an operating device P for controlling the plant in accordance with a result of executing a task. It is connected to the.

Further, the control device P1 connects the input / output unit I1 having storage circuits I11 and I12 for storing process information and task execution results (control information), usually the transmission line B1 and the control unit C1, and connects the control unit C1 to the control unit C1. When a failure occurs, the control unit C1 includes a changeover switch SW1 that sets the transmission line B1 into a bypass state and a signal transmission circuit C11, C12 and performs a task, and the other control devices P2, P3 are similarly configured. It is configured.

FIG. 7 is a block diagram showing a configuration of a distributed control system as a second conventional example disclosed in, for example, Japanese Patent Application Laid-Open No. 58-64502. In FIG. A host computer that manages control devices A, B, and C.
Each of the control devices A, B, and C is connected to detectors 10A, 10B, and 10C that acquire each process information of the plant, and operating devices 11A, 11B, and 11C that control the plant according to a result of executing a task. . Further, the control device A is a CPU that executes a task.
Unit 3A, other control devices B and C or host computer 1
A communication unit 4A that communicates with the processor, a program reconfiguration unit 5A for executing a task, a process input / output unit 8A that exchanges data with the detector 10A and the operation unit 11A, and a task program executed by the control device A. The memory units 6A and 7A for storing all the data and the process input / output unit 8A, the detector 10A, and the operating device 1
1A, and if the control device A fails, the relay signal line
It is composed of a changeover switch 9A for setting 12AB and 12BA to the bypass state, and the other control devices B and C are similarly configured.

 Next, the operation of the first conventional example will be described.

Since the operations of the control devices P1, P2, and P3 are the same, the operation of the control device P1 will be described here.

First, the input / output unit I1 having acquired the process information by the detector S stores the process information in the storage circuit I11 and outputs the process information to the changeover switch SW1 via the transmission line B1. The changeover switch SW1 is normally connected to the control unit C1, and the process information is input to the control unit C1 by the signal transmission circuit C11 to execute a predetermined task. And
When the execution of the task is completed, the control information as the execution result is output from the signal transmission circuit C12. This control information is stored in the storage circuit I12 of the input / output unit I1 via the changeover switch SW1 and the transmission path B1, and is also sent to the operation device P.

Next, an operation of the control unit C3 when the control unit C2 fails, for example, will be described.

At this time, the changeover switch SW2 puts the transmission line B2 into a bypass state, and disconnects the connection with the control unit C2. Control unit C3
Detects the failure of the control unit C2 by receiving the response of the input / output unit I2 when accessing the input / output unit I2, and detects the control information (control information) stored in the storage circuit I22 of the input / output unit I2. Part C
2 is control information immediately before the abnormality, for example, an integral constant, a proportional constant, or a current integral value, and the data amount is not so large. Start bumpless backup on behalf of C2 function.

 Next, the operation of the second conventional example will be described.

Since the operation of each control device A, B, C is the same,
Here, the operation of the control device A will be described.

First, the process information obtained by the detector 10A is input to the process input / output unit 8A via the changeover switch 9A. Using this process information, the control program assigned to the control device A is read out of the control programs stored in the memory 6A, and the task is executed by the CPU 3A. Then, when the execution of the task is completed, the control information as the execution result is output from the process input / output unit 8A to the operation device 11A via the changeover switch 9A.

Next, the operation of the control device C when the control device B fails, for example, will be described.

At this time, the changeover switch 9B puts the transmission lines 12CB and 12BC into a bypass state and disconnects the control device B. The control device C connects and accommodates the detector 10B and the operating device 11B,
The control program transferred from the failed control device B and the control program of the control device C are successively stored in the memory unit 6C, an important control program is selected by the program reconfiguration unit 5C, and the task is executed by the CPU unit 3C. This guarantees the execution of important tasks that should be performed by the failed control device B.

[Problems to be Solved by the Invention] Since the distributed control system of the first conventional example is configured as described above, the control device that backs up the function of the adjacent control device performs backup in addition to the original function. Since the load increases because the function is also assigned, the processing capacity of each control device needs to be previously given a margin to double the original function. Further, if a control device that is already performing a backup operation fails, all the functions are assigned to a device capable of backing up the two failed control devices. And a dynamic allowance for the function is required.

Further, since the distributed control system of the second conventional example is configured as described above, the important functions of the failed control device are transferred to the backup control device and the functions of the backup control device are reconfigured. It is necessary not to exceed the control cycle, including the time to perform. If the functions to be backed up are not equally allocated to all the control devices, important functions will be concentrated on one control device, and there is a possibility that important functions are not selected as a whole.

As described above, in the first and second conventional examples, there is a problem that a function or a load is concentrated on a specific control device, and a function (processing) at that time may not satisfy a control cycle. .

The present invention has been made in order to solve the above-described problems, and is capable of adjoining a control function or a load while satisfying a control cycle with respect to a state or environment change such as a failure of a control device or an abnormality of a target plant. An object of the present invention is to obtain a cooperative distributed control system in which distributed control and reconfiguration is performed uniformly on all control devices by cooperative operation between control devices, and a function of plant control is adaptively maintained.

[Means for solving the problem]

In the distributed cooperative control system according to the present invention, each control device performs a local communication for transferring a task execution right to an adjacent control device for each control cycle, and determines a function allocation such that loads are equalized. Perform scheduling and degrade low priority functions to prevent overload,
Autonomous scheduling for terminating an execution task within the control cycle time is performed.

[Action]

The control device according to the present invention determines a function to be shared between adjacent control devices by distributed scheduling for each control cycle, and prevents overload on a specific control device by autonomous scheduling, so that the control cycle is repeated. Each time, the load can be dispersed, and the optimal function distribution state can be achieved in the sense of risk distribution.

(Example of the invention)

 An embodiment of the present invention will be described below with reference to the drawings.

FIG. 1 is a block diagram showing the configuration of a cooperative distributed control system according to an embodiment of the present invention, in which 13 is a plant to be controlled, 14 is a detection unit for acquiring process information of the plant 13 and control information. An input / output unit comprising an operating device for operating the plant, 15a, 15b, 15c, 15d, and 15e are control devices for controlling the plant, respectively, and 16 is the input / output unit.
Reference numeral 14 denotes a transmission line for transmitting and receiving arbitrary process information, and 17 denotes a transmission line for performing local communication between control devices.

Next, FIG. 2 and FIG.
This will be described with reference to the flowchart in FIG.

Normally, as shown in FIG. 2A, the control devices 15a to 15e perform local communication (steps ST1a and ST2a), perform distributed scheduling (step ST3a), and execute a task within each control cycle time. Is working to end. At this time, since each control device communicates only with the adjacent control device, the failure detection of the adjacent control device, the function of switching the adjacent control device to the next device at the time of failure and the reconnection function at the time of failure recovery are provided. Each controller must have one. In order to satisfy these functions, local communication is based on asynchronous communication in which a message is sent by designating the address of the other party, and the data is buffered on the receiving side and read as needed.

Assuming that the control device 15c fails as shown in FIG. 2 (b), the failure detection is performed by the transmission side when the reception side is not received even after waiting for a certain time when performing distributed scheduling between adjacent control apparatuses. A time-out determination method for determining that a failure has occurred is used (step ST4). The control device that has detected this failure searches for the next adjacent control device from the database of the network connection stored by itself (step ST).
5) Further, the address of the adjacent control device is changed (step ST6), and thereafter, the distributed scheduling is performed as the adjacent control device (step ST6).
7). It should be noted that the network connection data pace only needs to be able to cope with multiple failures to be considered, and does not need to have all data.

Further, the control devices 15b and 15d adjacent to the failed control device 15c also share the functions and loads that the control device 15c has shared as shown in FIG. 3 (c). As shown in FIG. 3 (d), the load is distributed by distributed scheduling as the control cycle is repeated, and finally, as shown in FIG. 2 (e), the load of each of the control devices 15a, 15b, 15d, 15e is increased. Converges to a uniform state as a whole and stabilizes.

Then, when the failed control device 15c is restored, the control device 15c transmits the restoration to the adjacent control devices 15b and 15d described in the database described above (step ST8a). If the adjacent control device is normal, there is a reply in the next control cycle, but if there is a failure, there is no response, so a failure is detected by the timeout failure determination method (step ST9a). Then, the same message is transmitted to the adjacent control device beyond (step ST10a). When communication from the adjacent control devices 15b and 15d is obtained, the newly recovered control device 15c sends a message to both devices to synchronize, and the control device 15c recovered from the next control cycle participates in distributed scheduling.

Performing distributed scheduling for each control cycle
Although it seems that extra time is wasted than determining the function distribution configuration at once just after a failure, the method in which the load suddenly increases only for a specific control cycle provides sufficient processing capacity to satisfy the control cycle at that time. Must be performed, which makes the control device expensive. Further, in the present invention, since only communication is performed with adjacent control devices and each device operates in parallel, the time required for one distributed scheduling can be shortened without being proportional to the number of control devices.

Next, the operation of distributed scheduling will be described with reference to the flowchart of FIG.

Distributed scheduling is performed between two adjacent controllers, which are performed in parallel on all controllers.
The function and load currently assigned are transmitted to the control device on the right side in the figure. Reception is interrupt processing prior to transmission, so transmission from the control device on the left side in the figure is possible even during transmission by itself (step ST11). Next, the self-load is compared with the control device on the left side, and when the difference exceeds a certain threshold, the function allocation is changed, and the process is repeated until the difference in load falls below the threshold (step ST12), and the function allocation is determined (step ST1).
3). The determined function allocation is transmitted to the left side, and the scheduling result with the right side is interrupted from the right side (step ST14).

This operation is the same for all the control devices, and even if any control device fails, the operation can be performed normally only by connecting to the adjacent control device without changing the operation.

The above example is transmitted from the left device and returned from the right device,
You may go in the opposite direction.

This means that when the control device 15c described above breaks down, even if the control device 15c is disconnected by the previous network reconnection function and the control devices 15b and 15d are adjacent to each other, even when the failure is recovered. The same is true.

In addition, since the operation of all the control devices is the same, the process may be performed from any control device. From this, all the control devices can perform distributed scheduling in parallel with each other, and the synchronization of the entire control device is controlled by the control device. Although it is guaranteed by the transmission and reception of process information performed periodically, it is also possible to synchronize locally by waiting for reception of distributed scheduling.

In this distributed scheduling, in order to guarantee that a certain function is not lost or duplicated in the system, the task execution right is moved between the control devices, and the task is executed when the user has the task execution right. And guarantees the uniqueness of the task.

The control device divides the current task execution right into two, and transmits half of the right to the right. Then, the above-mentioned distributed scheduling is performed based on the execution rights obtained from the left side (steps ST11 to ST13), and the resulting task execution right is transmitted to the left control device and received from the right control device (step ST11). ST14). The task is executed (step ST16) according to the task execution right obtained by integrating the result assigned to the user by the scheduling on the left and the result obtained from the right (step ST15).

In order to back up the failed control device, the task execution right lost due to the responsibility of the failed control device may be restored by the control on both sides of the failed control device.

First, when transmitting the result of the distributed scheduling to the control device on the left side, the task in charge of itself is transmitted as backup information. That is, when the distributed scheduling is completed, the two (adjacent) control devices that have performed the distributed scheduling mutually know each other a task to be backed up when a failure occurs.

However, since the distributed scheduling is managed by the transfer of the task execution right, the backup information of the same task is not sent to the left and right control devices.For example, the control device 15c fails and the left and right control devices 15b, Based on the backup information obtained by the above-described distributed scheduling, the task 15d restores the task execution right lost due to the sharing of the failed control device 15c.

Next, the operation of autonomous scheduling will be described with reference to the flowchart of FIG.

In the present invention, the load is spread by performing local communication for each control synchronization and performing distributed scheduling in which functions are shared between adjacent control devices, but when the load distribution is not sufficiently advanced. When a failure occurs, there may be a case where the processing margin of the adjacent control device is insufficient.
In order to solve this drawback, after sharing functions by distributed scheduling, each control device performs autonomous scheduling in which the task execution mode is determined independently.

Also, the total of the task processing time having the task execution right and the time required for the distributed scheduling and the transfer of the process information is obtained (step ST17). If the control cycle is shorter than the control cycle time, the priority is lower. Change from task to simple mode. If the total processing time exceeds the control cycle time even when all the tasks are in the simple mode, the task is switched from the low priority task to the sleep mode and the task processing time is repeated until the task processing time falls below the control cycle time (steps ST19 to ST19).
ST20). Then, only the tasks that are not in the sleep mode are executed (step ST21).

Here, the execution mode is a mode in which the task is executed in each control cycle, and the simple mode is a mode in which, for example, the process information is sampled every other time to increase the task execution interval, and the priority is low. In the case of plant monitoring and control, there is little effect on maintaining the overall functions. The sleep mode is a mode in which a task is not executed.

If the simple mode cannot be set due to the limitation of the storage capacity of the control device, a method of performing autonomous scheduling in the normal mode and the sleep mode is adopted.

With this autonomous scheduling, even when the load is temporarily concentrated, such as when multiple failures occur successively, the functions with high priority are selectively executed, so that the entire main functions are maintained as much as possible. In addition, even when the function degradation occurs due to a local load increase, the load is distributed throughout by the above-described distributed scheduling, and the function degradation is resolved.

〔The invention's effect〕

As described above, according to the present invention, each control device performs local communication for transferring a task execution right to an adjacent control device for each control cycle, and determines the distribution of functions so that the loads become equal. In addition to performing the scheduling, the low-priority functions are degenerated to prevent overload, and the autonomous scheduling for ending the execution task within the control cycle time is performed. Therefore, a standby redundant system is prepared for each control device. There is no need to provide a cooperative distributed control system that improves fault tolerance against multiple faults.

[Brief description of the drawings]

FIG. 1 is a block diagram showing the configuration of a cooperative distributed control system according to one embodiment of the present invention, FIG. 2 is a diagram for explaining the failure operation of the cooperative distributed system according to one embodiment of the present invention,
FIG. 3 is a flowchart for explaining the operation of the cooperative distributed control system according to one embodiment of the present invention, FIG. 4 is a flowchart for explaining the operation of distributed scheduling of each control device in the present invention, and FIG. FIG. 6 is a block diagram showing the configuration of a first conventional example of a distributed control system, and FIG. 7 is a block diagram showing the configuration of a second conventional example of a distributed control system. FIG. In the figure, 13 is a plant, 14 is an input / output unit, and 15a to 15e are control devices. In the drawings, the same reference numerals indicate the same or corresponding parts.

Claims (1)

(57) [Claims] An input / output unit which contacts a plant and accumulates control information of a detector and an operating device, a plurality of control devices for controlling the plant, and an operation control panel which contacts an operator of the plant. In a distributed control system that maintains the function of the plant control by comparing the function of the failure control device to that of another control device, each control device has a task execution right between adjacent control devices for each control cycle. Perform local communication to move, perform distributed scheduling to determine function sharing so that the load becomes equal, degrade low-priority functions to prevent overload, and execute tasks within the control cycle time. A cooperative distributed control system characterized by performing autonomous scheduling for termination.